Core Insights - Cloudflare experienced a significant outage affecting 28% of global websites due to internal errors rather than external attacks, marking the second incident in two weeks [2][3] Group 1: Incident Details - The outage on December 5 was caused by Cloudflare's attempts to address a serious vulnerability in React Server Components, leading to HTTP 500 errors [2] - The issue stemmed from a combination of expanding the WAF buffer and disabling an internal testing tool, which inadvertently triggered a long-dormant Lua bug in the old FL1 proxy [2][3] - The affected clients were those using the old proxy with managed rule sets, which accounted for a significant portion of traffic [3] Group 2: Systemic Issues - The incident highlighted the risks associated with legacy code, as the Lua code, established in 2009, could not be fully replaced, allowing bugs to resurface years later [3] - Cloudflare's new FL2 version, rewritten in Rust, does not have these issues, indicating a need for modernization [3] - The company has committed to freezing all network changes and prioritizing improvements in its release processes and emergency response capabilities [3] Group 3: Broader Implications - The repeated incidents underscore a critical challenge in internet infrastructure: preventing updates from causing system failures, which is becoming more urgent than merely defending against attacks [3]